-
Notifications
You must be signed in to change notification settings - Fork 10.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(ci): improvements to gha workflows #7089
base: master
Are you sure you want to change the base?
Commits on Mar 12, 2024
-
chore(ci): apply hardening to ci jobs
- chore: apply 'Harden Runner' auditing to all ci tasks - chore: apply `persist-credentials: false` to checkout tasks - chore: publish dependency graph and add dependency review check - chore: add codeql scan job (temp) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.6.0 to 4.1.1. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v3.6.0...b4ffde6) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.1 to 4.1.3. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@0efb1d1...9129d7d) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: StepSecurity Bot <[email protected]> Signed-off-by: Sam Gammon <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for 095952a - Browse repository at this point
Copy the full SHA 095952aView commit details -
chore(ci): refactor into reusable workflows
This change refactors the main CI workflow into two new workflows, `on.pr.yml` and `on.push.yml`, which each call into the exiting CI job as a reusable workflow. This has the nice benefit of putting all tests, checks, builds, etc., on one screen during development on GitHub, allows customization of the PR vs. push flow, and yet keeps behavior fully consistent between the two. - chore: move ci jobs to `workflow_call` trigger - chore: add entrypoint jobs for PR and Push events - chore: cleanup permissions and dispatch checks/tests Signed-off-by: Sam Gammon <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for a5826e6 - Browse repository at this point
Copy the full SHA a5826e6View commit details -
chore(ci): switch to enforced hardening mode
This changeset switches the StepSecurity hardening action to enforced mode, where previously it was running in `audit` mode. Now, audit logs have been gathered and it is time to seal off the list of accessible network endpoints for a given job. - chore: gather and apply network endpoints for each job - chore: move to `block` mode for `egress-policy` in `step-security/harden-runner` Signed-off-by: Sam Gammon <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 7faf45d - Browse repository at this point
Copy the full SHA 7faf45dView commit details -
feat(ci): slsa provenance support
This changeset adds SLSA 3+ provenance support to the workflow. The main CI run has now been split into two: `ci.build.yml`, which only builds the library and is provenance-capable, and `ci.test.yml`, which is the previous CI logic. The regular build logic is applied only on push, and can be applied on PRs too, with publish of provenance material turned off. The test suite is invoked from PRs. The workflows have been split into build/test phases to avoid publishing provenance data and GitHub artifacts for build matrix outputs. JARs are uniform across OS targets, so there is no need to gather and publish for more than Ubuntu. - feat: add slsa support to build workflow - chore: split `test` into `build` and `test` workflows - chore: use new workflows (build/test) from push/pr triggers Signed-off-by: Sam Gammon <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 9417e1c - Browse repository at this point
Copy the full SHA 9417e1cView commit details -
chore(ci): build with
--strict-checksums
Fails the build if any downloaded dependencies fail their checksum verification. - chore: add `--strict-checksums` flag to `mvnw` calls in ci
Configuration menu - View commit details
-
Copy full SHA for 3403c87 - Browse repository at this point
Copy the full SHA 3403c87View commit details -
chore(ci): build avoidance (javadoc, gpg)
- chore: don't rebuild javadoc during tests in ci - chore: don't run with gpg enabled in ci Signed-off-by: Sam Gammon <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 0d6f994 - Browse repository at this point
Copy the full SHA 0d6f994View commit details -
chore(build): parameterize deploy repositories
Adds two build parameters - `publishing.repository.snapshots`: Snapshot repo to deploy to - `publishing.repository.releases`: Releases repo to deploy to Both default to their current values, Sonatype. This small inert change allows a fork to easily publish to a different repository without resorting to a code change. Signed-off-by: Sam Gammon <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 9c03223 - Browse repository at this point
Copy the full SHA 9c03223View commit details -
feat(build): sigstore publishing plugin
This changeset adds the Maven Sigstore plugin for use during publishing to Sonatype and other public repositories. - chore: add sigstore plugin to build Signed-off-by: Sam Gammon <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 5a3edfe - Browse repository at this point
Copy the full SHA 5a3edfeView commit details -
chore(ci): document gha workflows
Signed-off-by: Sam Gammon <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 36538cc - Browse repository at this point
Copy the full SHA 36538ccView commit details -
Signed-off-by: Sam Gammon <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for c5846e1 - Browse repository at this point
Copy the full SHA c5846e1View commit details